From: Dmitry K. <dm...@ma...> - 2016-01-03 21:06:17
On 26/12/2015 22:52, Paul Lesniewski wrote:
> On 12/14/15, Julien Métairie <ru...@ru...> wrote:
>> Hi list,
>>
>> I am trying to upgrade my server running Squirrelmail from Debian Wheezy
>> to Jessie.
>>
>> IMAP server is Courier-ssl using a self-signed certificate.
>>
>> Also note that Squirrelmail connects to 192.168.xx.xx, while the
>> certificate is (auto-)issued to mail.mydomain.com.
>>
>> After upgrading, configtest.php complains that it couldn't connect to
>> IMAP server because of a "Server error: (0)".
>>
>> The following is logged on the web server running Squirrelmail:
>>
>> PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL
>> Error message:\nerror:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in
>> /usr/share/squirrelmail/src/configtest.php on line 431.
>>
>> And on the IMAP mail server:
>>
>> couriertls: accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
>> alert unknown ca
>>
>> As far as I understand, PHP 5.6 enforces certificate checking. SM allows
>> tweaking these checks with $imap_stream_options, but I can't manage to
>> use it. For testing purposes, I added the following to
>> /etc/squirrelmail/config_local.php :
>>
>> $imap_stream_options = array(
>>     'ssl' => array(
>>         'verify_peer' => false,
>>     ),
>> );
>>
>> But there is no change with or without this option. I also tried to turn
>> 'allow_self_signed' on, without success.
>
> You might insert something like this:
>
>     sm_print_r('STREAM OPTIONS:', $stream_options);
>
> Around line 763 of functions/imap_general.php
>
> Make sure your settings are being used.
>
> Otherwise, it sounds a little to me like your PHP installation isn't
> functioning properly. Check here for the available options:
>
> http://php.net/manual/en/context.ssl.php
>
>> Squirrelmail 1.4.23, PHP version 5.6.14-0+deb8u1, Courier 4.15-1.6, all
>> software is installed from Debian repository.
>>
>> I went through this thread [1] but didn't understand any final solution.
>>
>> What did I miss?
>>
>> Regards,
>>
>> Julien
>>
>> [1]
>> http://squirrelmail.5843.n7.nabble.com/svn-14501-TLS-handshaking-SSL-accept-failed-error-alert-unknown-ca-SSL-alert-number-48-td26087.html

I had the same problem and I have created a patch (090_ssl.dpatch) for
squirrelmail v1.5.1. If you don't use a self-signed certificate on Cyrus,
then you don't need allow_self_signed=true.

I also attach a few other patches (which perhaps are already, one way or
another, present in upstream):

080_global.php_session.dpatch: Fixes PHP warning about session usage.
081_mail_fetch.functions.php_hex2bin.dpatch: hex2bin() function is present in PHP
090_ssl.dpatch: Fixes SSL and adds support for self-signed certificates.
091_abook_preg.dpatch: Fixes PHP warning concerning eregi()
099_warnings.dpatch: Fixes other PHP warnings (I am not sure I've done it right)

--
With best regards,
Dmitry
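
Added example, not part of the thread and not SquirrelMail or patch code: a stand-alone PHP 5.6+ check that compares the verification-disabled context from the question with one that trusts only the server's own certificate and checks it against the name it was issued to, which covers both the "unknown ca" failure and the IP-versus-hostname mismatch. The address and the certificate file path are assumptions (constructed placeholders); mail.mydomain.com is the name given in the post.

```php
<?php
// Added example. $imap_addr and $ca_file are constructed placeholders.
$imap_addr = '192.0.2.10';                         // stands in for the private IMAP address
$cert_name = 'mail.mydomain.com';                  // name the certificate was issued to
$ca_file   = '/etc/ssl/local/imap-selfsigned.pem'; // hypothetical copy of the server certificate

// Weak: verification off, any certificate is accepted.
$weak = array('ssl' => array(
    'verify_peer'      => false,
    'verify_peer_name' => false,
));

// Verified: trust only the copied certificate, and match it against the
// issued name instead of the IP address used for the connection.
$strict = array('ssl' => array(
    'verify_peer'      => true,
    'verify_peer_name' => true,
    'cafile'           => $ca_file,
    'peer_name'        => $cert_name,
));

// Open an IMAPS connection with the given context options and report the
// result. Handshake failures are reported as PHP warnings (as in the log
// quoted in the post), so they are collected with a temporary handler.
function try_imaps($addr, array $options) {
    $warnings = array();
    set_error_handler(function ($no, $msg) use (&$warnings) {
        $warnings[] = $msg;
        return true;
    });
    $fp = stream_socket_client("ssl://$addr:993", $errno, $errstr, 10,
                               STREAM_CLIENT_CONNECT, stream_context_create($options));
    restore_error_handler();
    if ($fp === false) {
        return array('ok' => false, 'detail' => "($errno) $errstr", 'warnings' => $warnings);
    }
    $greeting = trim((string) fgets($fp, 1024));   // first line sent by the IMAP server
    fclose($fp);
    return array('ok' => true, 'detail' => $greeting, 'warnings' => $warnings);
}

foreach (array('weak' => $weak, 'strict' => $strict) as $label => $opts) {
    $r = try_imaps($imap_addr, $opts);
    echo $label, ': ', ($r['ok'] ? 'connected, ' : 'failed '), $r['detail'], "\n";
    foreach ($r['warnings'] as $w) {
        echo "  warning: $w\n";
    }
}
```

If the weak context connects and the strict one fails, the remaining problem is the trust file or the name, not connectivity or the PHP OpenSSL build.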